Cyber-security firm Group IB has released a report on a hacker group named Cobalt, which is currently ransacking ATMs throughout Europe.
The report details how, using malicious software which is unique to the group and triggered using mobile phones, the group is able to force ATMs to essentially spit out cash.
Cobalt has carried out this attack in 14 different countries including Russia, the UK, the Netherlands and Malaysia.
Named 'touchless jackpotting', the technique employed does not involve any physical change to ATMs. There are no card skimmers or modifications made to the machine. Instead, bank systems are infected using tools that are apparently widely available in public sources.
Group IB said in its report: “To make ATMs give out cash, criminals launch malware using the Extensions for Financial Services (XFS) standard. On command from the bank's internal network, the program starts dispensing notes until machines are empty.”
The report explains that after each successful operation, the program records a specific log, a file named disp.txt, containing the number of banknotes dispensed from the ATM cassette.
The operator sends this log file to the organiser, who uses the data to control the 'jackpotting' chain. Once these actions are complete, Group IB says that the hackers erase all malware traces using SDelete, a free tool available on the Microsoft website. On top of this, the report says the criminals knock out internal bank servers using MBRkiller, malware capable of removing the MBR (master boot record), which leaves the servers unable to boot.
“Such a careful approach significantly complicates further investigation,” the company said. It went on to explain that the malware that makes ATMs spit out cash on demand is unique and is believed to be used by one hacker group only.
The shortest time taken to obtain total control over the banking network is 10 minutes.
Offering a stark warning, Dmitry Volkov, head of the investigation department and the Bot-Trek intelligence service, said: “Logical attacks on ATMs are expected to become one of the key threats targeting banks: they enable cyber-criminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services.”
Volkov added: “This type of attack does not require development of expensive advanced software – a significant amount of the tools used are widely available on the deep web. Every bank is under threat of logical attacks on ATMs and should be protected accordingly.”
The report reads: “If you have detected trails of a targeted attack at any stage, you need to involve specialised companies for its analysis. Incorrect responses to this type of attack will result in the bad actor activity remaining partly undetected, allowing criminals to achieve their goal – theft of cash.”
Speaking with Reuters, Diebold Nixdorf and NCR Corp, the world's two largest ATM manufacturers, said they were “aware of the attacks and have been working with customers to mitigate the threat.”
Mark Gazit, CEO of ThetaRay, told SCMagazineUK.com: “Banks will continue to be hit by cyber fraud, new malware-based Trojans, cyber money laundering, and attacks on ATMs. In order to stay protected, banks will need new mitigation capabilities including predictive tools, data analytics and multi-level authentication techniques to keep out the fraudsters.”